Domain user passwords are an important part of the security of your Active Directory domain. An AD system administrator can manage domain password policies using Group Policy Objects and Password Settings Objects. In this article, we’ll show you how to set up or change the password complexity policy in Active Directory.
Active Directory Password Complexity
Password complexity policy settings in Active Directory include the following options:
- Minimum password length: defines the minimum number of characters that the password must contain;
- Password must meet complexity requirements: determines whether the password must meet the complexity rules. The password must not contain the account name (no more than two characters in a row from the username or first name), and it must contain 3 types of characters from the following list: uppercase letters (F, G, R), lowercase letters (f, y, x), numbers (1, 2, 3), and special characters (#, @, $);
- Enforce password history: defines the number of previous passwords that are stored to prevent users from reusing them.
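The length and complexity rules listed above can be expressed as a local pre-check. This is an added example, not code from the article and not the Windows implementation: the function name `Test-PasswordAgainstPolicy` and the sample passwords are constructed, and the rules are coded exactly as the list describes them.

```powershell
function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [string]$FirstName = '',
        [int]$MinLength = 14   # value used later in this article; adjust to your policy
    )
    $reasons = @()

    # Rule 1: minimum password length.
    if ($Password.Length -lt $MinLength) {
        $reasons += "shorter than $MinLength characters"
    }

    # Rule 2: at least 3 of the 4 character types (upper, lower, digit, special).
    $types = 0
    if ($Password -cmatch '[A-Z]')       { $types++ }
    if ($Password -cmatch '[a-z]')       { $types++ }
    if ($Password -match  '\d')          { $types++ }
    if ($Password -match  '[^A-Za-z0-9]') { $types++ }
    if ($types -lt 3) { $reasons += "only $types of 4 character types" }

    # Rule 3: no run of three consecutive characters taken from the names.
    foreach ($name in @($UserName, $FirstName)) {
        for ($i = 0; $i -le $name.Length - 3; $i++) {
            $run = $name.Substring($i, 3)
            if ($Password.IndexOf($run, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "contains '$run' from '$name'"
                break   # one finding per name is enough
            }
        }
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons -join '; '
    }
}

# Constructed sample input: the account name is the one used later in the article.
Test-PasswordAgainstPolicy -Password 'Johnson2024!!!!' -UserName 'b.johnson' -FirstName 'Bob'
Test-PasswordAgainstPolicy -Password 'alllowercaseonlypw' -UserName 'b.johnson'
Test-PasswordAgainstPolicy -Password 'Vt7#qLm2zRw9!xPd' -UserName 'b.johnson' -FirstName 'Bob'
```

The first call fails on the name rule, the second on the character types, and the third passes all three checks.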
Default domain password policy settings
By default, the following password complexity settings are configured in the AD domain based on Windows Server 2016:
- Minimum password length;
- Password must meet complexity requirements;
- Enforce password history: 24 last passwords.
If a user tries to set a password that does not match the password policy in the AD domain when logging into Windows or changing the password via Ctrl+Alt+Delete, an error message will be displayed:
Unable to update the password. The value provided for the new password does not meet the domain’s length, complexity, or history requirements.
Configuring the Active Directory password policy settings
In Windows Server 2008 R2+, you can use several password complexity policies.
The default password policy is enforced through the Default Domain Policy. Its settings can be changed using the Group Policy Management Console (gpmc.msc):
- Expand your forest and domain, find the Default Domain Policy, which is linked to the domain root by default;
- Select a policy and go to the Settings tab;
- You will see a report with the current password policies that apply to all Active Directory users by default;
- Let’s change the password policy complexity by increasing the minimal password length to 14 characters;
- Right-click on the policy and select Edit;
- Go to the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy;
- Find the Minimum Password length parameter and open its Properties;
- Specify the value 14 in the Password must be at least field;
- Save your changes by clicking OK and closing the GPO Editor;
- At the next password change, all users will be required to set longer passwords.
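To confirm that the change made in the steps above has reached the domain, the effective policy can be read back with the ActiveDirectory module. This is an added example, not part of the original article; the baseline values other than the length of 14 are assumptions chosen for illustration.

```powershell
# Read-only check: nothing in the domain is modified.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed baseline; only MinPasswordLength = 14 comes from the steps above.
$baseline = [ordered]@{
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false
}

$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

$report = foreach ($name in $baseline.Keys) {
    $actual = $policy.$name
    $wanted = $baseline[$name]
    # Booleans must match exactly; numeric settings must be at least the baseline.
    $ok = if ($wanted -is [bool]) { $actual -eq $wanted } else { $actual -ge $wanted }
    [pscustomobject]@{
        Setting  = $name
        Current  = $actual
        Baseline = $wanted
        Ok       = $ok
    }
}

$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning "Default domain password policy in $($domain.DNSRoot) is weaker than the baseline."
}
```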
Starting with the Windows Server 2008 R2 AD version, you can use separate password complexity policies for specific users or groups. This functionality is called Fine-Grained Password and Lockout Policies. The AD schema has two new object classes used by fine-grained password policies: Password Settings Container (PSC) and Password Settings Object (PSO).
- To create a custom password complexity policy in AD, run the Active Directory Administrative Center (dsac.exe);
- Go to System > Password Settings Container and create a new Password Settings object;
- Specify a name for the PSO and set custom password complexity settings;
- In the Directly Applies To field, add the users or groups that this PSO should apply to.
Your new password complexity settings will now apply to all users in the specified group.
You can display the current password policy settings for a specific user using PowerShell:
Get-ADUserResultantPasswordPolicy -Identity b.johnson
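The PSO procedure above can also be scripted and then verified per user with the same resultant-policy cmdlet. This is an added example, not from the original article: the PSO name, the group name `Tier0-Admins` (assumed to be an existing global security group) and the setting values are hypothetical.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create PSOs.
Import-Module ActiveDirectory

# Hypothetical names for this example.
$psoName = 'PSO-Admins-Strict'
$group   = 'Tier0-Admins'

# Create the PSO only if it does not exist yet, so the script can be re-run.
# Settings not listed here keep the cmdlet defaults.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Equivalent of filling in the "Directly Applies To" field.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: list which policy actually wins for every user in the group.
# Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
# which means the user falls back to the default domain policy.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($rp) { $rp.Name } else { '(default domain policy)' }
            MinLength = if ($rp) { $rp.MinPasswordLength } else { $null }
        }
    } | Format-Table -AutoSize
```

A user who shows a different policy name than expected is covered by another PSO with a lower precedence value, which takes priority.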
Frequently asked questions
What is the importance of configuring password complexity in Active Directory?
Configuring password complexity in Active Directory ensures that users generate strong and secure passwords, reducing the chances of compromising corporate passwords. It sets standards like minimum password length, the inclusion of uppercase letters, and complexity requirements to enhance security.
How can I change the default domain password policy in the Active Directory?
You can use the Group Policy Management Console to modify the default domain password policy. Navigate to the Default Domain Policy GPO, and under Computer Configuration, you’ll find Windows Settings > Security Settings > Account Policies. Here, you can adjust settings like minimum password age, maximum password age, and enforce password history.
Why is the minimum password length crucial in a domain password policy?
Minimum password length ensures that user-generated passwords have a certain number of characters, making them harder to guess and increasing resistance against password dictionaries. Combining this with complexity requirements like including lowercase letters further enhances the security of Active Directory passwords.
Can I have multiple password policies in my Active Directory?
Yes, starting from Windows Server 2008 R2, you can implement Fine Grained Password Policies, allowing you to create multiple password policies for different sets of users. This is particularly helpful when you have domain admin accounts requiring stricter policies than regular user accounts.
What’s the role of the Password Settings Container in Active Directory?
The Password Settings Container (PSC) is part of the Active Directory Administrative Center. Within the PSC, you can create Password Settings Objects (PSO), which define password and account lockout policies for users and global security groups. This offers flexibility beyond the default domain policy.
Why should we avoid using reversible encryption for storing passwords?
Storing passwords using reversible encryption poses a security risk. If attackers gain access to the encryption key, they can easily decipher user passwords, potentially compromising corporate passwords, especially critical ones like local admin passwords.
How often should password expiration policies be set in an Active Directory environment?
Password expiration ensures that users change their passwords regularly. However, too frequent password changes can lead to users writing down passwords or creating simpler ones. It’s essential to find a balance, considering factors like the nature of company login portals and the sensitivity of data accessed.
How does the password history policy help in securing Active Directory accounts?
Enforcing password history prevents users from reusing previous passwords. This ensures that even if an old password gets compromised, the user’s account remains secure, as they won’t be able to reuse that password for a specified number of changes.
Is it necessary to have both uppercase and lowercase letters in Active Directory password policy settings?
While it’s not mandatory, including uppercase and lowercase letters in password complexity requirements enhances password strength. It increases the number of possible password combinations, making it harder for attackers to guess or use brute-force methods.
How do frequent password changes impact the security of user passwords in Active Directory?
Frequent password changes can be a double-edged sword. While it minimizes the window of opportunity for attackers, it might lead users to choose simpler passwords or variations of old passwords. Pairing password change policies with multi-factor authentication can provide an added layer of security.
Configuring password complexity in Active Directory is important for strong security standards. Active Directory offers tools like the Group Policy Management Console and the Active Directory Administrative Center, making it easier for IT professionals to manage and apply password policies. It’s vital to set appropriate minimum password lengths, understand the importance of password history, and avoid methods like reversible encryption.
Organizations can use the fine-grained password policies feature to apply specific password policies to particular user groups. By understanding and using complexity requirements in Active Directory effectively, companies can bolster their cybersecurity posture and help prevent password breaches and compromise.